SSH Tutorial – Dropbear server and OpenSSH client setup

About

This tutorial shows the steps needed to have two systems communicate via SSH, the Secure Shell. SSH has been widely used for server tasks such as remote maintenance, but it can also be used in a variety of other systems such as embedded boxes. Many obstacles come up during embedded development; SSH is one more tool that assists developers in numerous ways, such as deployment and debugging tasks. This tutorial covers requirements, key generation and authorization, among other important details; several of its instructions also apply to other SSH clients and servers.

Target board

iMX 7D running Linux 3.14.52

Server: Dropbear 2016.73

PC

Ubuntu 14.04 running Linux 4.4.0-45

Client: OpenSSH

SSH overview

SSH is a software technology that permits system administration over insecure networks; it is a protocol that allows users to transfer files and perform remote login securely. Users can use conventional username and password authentication, but in the SSH world keys are widely used for a number of reasons: automation, security, self-provisioning and non-expiry are just a few. This tutorial will show how to generate keys for both server and client.

SSH Server / Dropbear Setup

Dropbear SSH is an SSH implementation with a small memory footprint, particularly useful for memory-constrained environments such as embedded systems that run Linux.

Download

$ wget https://matt.ucc.asn.au/dropbear/dropbear-2016.73.tar.bz2

You can extract using the tar command or any other file management tool.

$ tar xpf dropbear-2016.73.tar.bz2

Configuration/compilation

This tutorial will not cover cross compilation in detail; for instructions you can run the configuration script that comes with the package:

$ ./configure --help

Mainly you’ll have to set the proper configuration options, for example

SCP

SCP has become widely used lately for network copy operations, but it does not come with the default Dropbear build. Setting/exporting the PROGRAMS variable enables SCP alongside the other components of the build:

PROGRAMS="dropbear dbclient dropbearkey dropbearconvert scp"

With your configuration and variables set, you can compile the package using make.

Installation

Consider using the DESTDIR variable, so your binaries go to the destination filesystem (which will probably go to an SD card image).

$ make install DESTDIR=$YOUR_DESTFS

Connection requirements

For the client to request a connection, the target board needs to run the Dropbear server daemon. The Dropbear service also has some requirements of its own to work properly; this document checks those first.

SSH keygen for server

Keys are needed on both sides. For the target board, the default location for the keys is the /etc/dropbear directory; create them using the dropbearkey command:

Dropbear is strict with permissions; set/check the permissions for the /etc/dropbear directory:

chmod 700 /etc/dropbear

Pseudo terminals

For remote access the embedded target needs a mounted pseudo terminal device (/dev/pts). With a fully-featured embedded distribution you may not need to worry about this; if you are working with a custom distribution, it is good to check this to rule out login issues:

This command shows whether there is a mounted filesystem matching the ‘pts’ keyword; this output shows that there is indeed a devpts mounted. Notice that permissions on this device can affect remote login, allowing some users to log in but not others.

SSH login notes

Allowing login to a host system using Dropbear can have security implications. Depending on your implementation, it may not be recommended to use Dropbear for production. Whatever the use case, it is important to review the Dropbear configuration to avoid unintended security holes. During development, teams usually want full control over the target; this guide uses the root user for its examples. Here is a small checklist concerning user login:

Check user permissions and groups

Check that the user's directory and the respective .ssh/ directory exist; Dropbear may need them to look for keys

Check that the user will not have conflicts with the Dropbear service options you intend to use
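
As an added example (not part of the original tutorial or the Dropbear project), the connection requirements and the login checklist above can be collected into one preflight script for the target. The function names, the ROOT parameter and the 600/700 modes expected on key files and .ssh are assumptions of this example; only the 700 on /etc/dropbear comes from the tutorial.

```shell
#!/bin/sh
# Added example (not from the original tutorial): preflight checks for a
# Dropbear target. ROOT lets it inspect a staged image such as $YOUR_DESTFS.
# Assumptions: default host key names dropbear_<type>_host_key; the 600/700
# modes expected on key files and .ssh are this example's conservative choice.

# check_mode PATH MODE: succeed only if PATH exists with exactly MODE (octal)
check_mode() {
    [ -e "$1" ] || { echo "MISSING  $1"; return 1; }
    m=$(stat -c '%a' "$1")
    [ "$m" = "$2" ] || { echo "BADMODE  $1 is $m, expected $2"; return 1; }
    echo "OK       $1 ($m)"
}

# has_devpts MOUNTS_FILE: succeed if a filesystem of type devpts is mounted
has_devpts() {
    awk '$3 == "devpts" { found = 1 } END { exit !found }' "$1"
}

# dropbear_preflight ROOT HOME_DIR MOUNTS_FILE
# Prints one line per check; the return status is the number of failed checks.
dropbear_preflight() {
    root=$1; home=$2; mounts=$3; fails=0
    check_mode "$root/etc/dropbear" 700 || fails=$((fails + 1))
    for key in "$root"/etc/dropbear/dropbear_*_host_key; do
        if [ ! -e "$key" ]; then   # glob matched nothing
            echo "MISSING  host key (create one with dropbearkey)"
            fails=$((fails + 1)); break
        fi
        check_mode "$key" 600 || fails=$((fails + 1))
    done
    check_mode "$root$home/.ssh" 700 || fails=$((fails + 1))
    check_mode "$root$home/.ssh/authorized_keys" 600 || fails=$((fails + 1))
    if has_devpts "$mounts"; then
        echo "OK       devpts mounted"
    else
        echo "MISSING  devpts mount (remote login needs /dev/pts)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# On the board, as root:  dropbear_preflight "" /root /proc/mounts
```

Running it against the staged filesystem before writing the SD card image catches permission problems that would otherwise only show up as a refused login.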

Debugging notes

It is possible that your embedded distro still has something missing for Dropbear to work. Here are some tips to help you debug the Dropbear service:

Redirect Dropbear logs to stderr

dropbear -E

Run the ssh client in verbose mode

# ssh with verbose level 3
$ ssh -vvv root@192.168.1.3

Read the reference manuals; when Dropbear is built, it also comes with man pages

Conclusion

Dropbear has become more common lately on embedded targets as a tool for development. Working with SSH keys allows users to get rid of the password authentication step, making network login and copy operations more straightforward. Watch for correct permissions (users, directories, ...) and server options to avoid unnecessary security holes in your system while still having a functional working environment.